Secure your Aternity Deployment and Ensure Privacy

Aternity's security extends to both the server side and the Aternity Agent installed on your end user devices, applying a broad set of methods across all access points in the system.

SteelCentral Aternity™ offers secure connections to monitored devices and to users of the system.

Aternity's security measures include:

Route Description

Aternity Agent collects and sends data to Aternity

The files (DLLs and EXEs) of the Aternity Agent are digitally signed to ensure no tampering.

The Agent runs securely on the device by employing several anti-hack security measures, including ASLR (randomizing memory addresses), DEP (validating code is run from expected locations) and SEH (ensuring only valid exception handlers).

When sending data, the Agent reports securely to Aternity via HTTPS.

The Agent uses TLS 1.1, or TLS 1.2 on devices with .NET 4.5 or later. You can also configure the Agent for two-way TLS authentication. For details, see the steps below.

Agent setup

The Agent setup package is digitally signed to guarantee the files are genuine.

Secure installation of the Aternity Agent
Aternity Recorder

The Aternity Recorder located on a monitored device is only active when you gather data to create custom activities, and even then, it is only active on that device for the limited time during the actual recording, with the explicit approval and interaction of the user on that device for that time.

Alternatively, for maximum security, you can configure the setup of the Aternity Agent to exclude the Recorder entirely from all monitored devices. If you create your own custom activities, which require the Recorder to find the start and end events of an activity, you can designate a specific device to perform those recordings for that time.

Access to Aternity

Aternity SaaS users access the system securely via HTTPS.

Alternatively, you can deploy SSO by authenticating users via your own identity provider, using SAML 2.0 as the protocol.

REST API queries

Analysts can send REST API queries to view Aternity data directly via HTTPS.

For details on configuring HTTPS for your REST API queries, see the steps below.

End-user privacy

Aternity does not store the contents of any documents, emails, or text messages. It only reports the performance of desktop applications, business-related web applications (in the white list), and mobile apps where you specifically embed Aternity functionality. It also gathers device data, including location and username, to help you with troubleshooting.

To encrypt all user-specific information (like hostnames and usernames), enable privacy mode in the Aternity Agent settings.

Example of encrypted fields when privacy is enabled on the device's Agent

Automatic timeout

By default the system has an automatic timeout, logging you out if the session has been idle for more than 3.5 hours.

Procedure

  1. Configure the Agent setup to use a secured HTTPS connection, by specifying https:// in the address of the Aggregation Server in the Agent's setup parameters file.
    Tip

    You can also deploy two-way TLS authentication if required (Agent 9.0.7 or later only) by adding CLIENT_CERTIFICATE=AUTOMATIC in the Agent's setup parameters file.

  2. To secure user access to the Aternity system and its dashboards, secure the Aternity Management Server.
    Secure the Management Server
    Tip

    For secure HTTPS (SSL) web access to Aternity, you must secure both the Aternity Management Server and the Aternity Dashboard Server.

    a. On the computer which runs the Management Server, add your enterprise's certificate to the system's Java keystore file (.jks) using Java's keytool utility (see Oracle's keytool documentation).
    b. On that same computer, launch the Configuration Tool from the Start menu, by right-clicking it and selecting Run as administrator.

      The Configuration Tool is installed with every Aternity server.

    c. Select Reconfigure Server and select Next until you reach the Web Server Configuration screen.
    d. Configure the server for HTTPS.
      Secure SSL connections to this server
      Field Description
      HTTP or HTTPS

      Select HTTPS if you want any connection to this server to be via HTTPS.

      Tip

      To see Aternity's system-wide security settings, view the security overview of all components.

      Port

      Enter the port required to receive data from the monitored devices. The default for HTTPS is 443.

      Custom keystore

      Enter the pathname of the system's keystore containing only the certificate that verifies your company's identity. Additional certificates may interfere with single sign-on processes.

      You must add your enterprise's certificate to the system's Java keystore file (.jks) using Java's keytool utility (see Oracle's keytool documentation).

      Custom keystore password

      Enter the password required to access the system's keystore file.

    e. Select Next repeatedly until you reach the end of the wizard, leaving all other values unchanged.

      This process forces a restart of the Windows service for this Aternity server.

  3. To secure browser access to Aternity with HTTPS, configure the Dashboard Server to use your certificate files.
    Tip

    For secure HTTPS (SSL) web access to Aternity, you must secure both the Aternity Management Server and the Aternity Dashboard Server.

    Secure the Dashboard Server for secure access to Aternity
    a. On the Dashboard Server itself, create a subdirectory in the Tableau directory called SSL.

      For example, D:\Tableau\Tableau Server\SSL.

    b. Copy your signed certificate file (.crt) and the key file (.key) into this folder.
    c. On the main Dashboard Server, stop the Tableau service by opening a command prompt as administrator and entering tabadmin stop.

      Navigate to <setup_dir>\Tableau\Tableau Server\<version>\bin, then enter tabadmin stop.

      Stop the server on the main Dashboard Server
    d. Back up libeay32.dll and ssleay32.dll from the apache\bin directory (for example, C:\Program Files\Tableau\Tableau Server\9.3\apache\bin).
    e. Download Win64OpenSSL_Light-1_0_2n.exe and launch it.
    f. Copy the newly downloaded libeay32.dll and ssleay32.dll into the apache\bin directory.
    g. Configure SSL by selecting Start > All Programs > Aternity Dashboard Server > Configure Tableau Server > SSL.
      Open the Tableau Server Configuration window
      Field Description
      Use SSL for server communication

      Select to enable SSL encrypted communication with other components.

      SSL certificate file

      Enter the pathname of the certificate (.crt) file.

      SSL certificate key file

      Enter the pathname of the key (.key) file.

    h. Select OK.
    i. On the Dashboard Server, start the Tableau service by opening a command prompt as administrator and entering tabadmin start.

      Navigate to <setup_dir>\Tableau\Tableau Server\<version>\bin, then enter tabadmin start.

      Start the Dashboard Server
  4. After enabling SSL on the Tableau Server, you must also:
    • Enable SSL on the Aternity Dashboard Gateway Server, by reinstalling it. Update the Tableau Port to 443 and select Use SSL Transport.

      The Dashboard Gateway is on the same computer as the Dashboard Server
    • Republish the dashboard layouts after you enable SSL, so that they are updated.

      Add the layouts from the Management Server into the Dashboard Server via Dashboard Gateway
  5. Aternity automatically ends a session, disconnecting the user after a set time of inactivity.

    The default session timeout is 3.5 hours. An Administrator of Aternity can change this value.

    a. Select the Gear Icon > Settings > Advanced Settings > mgmt > web > session-timeout.
    b. Enter the number of minutes of inactivity before automatic logout.
      Tip

      Enter -1 to disable session timeouts completely.

      Change the time when the system automatically logs out
    c. Select Apply.
  6. In rare cases when the Aternity Dashboard Server's URL is not visible to Aternity users (due to firewall or other topology reasons), you can add its address directly to the Management Server.

    Select the Gear Icon > Settings > Advanced Settings > tableau > externalAddress.

    Enter the full URL (protocol and address) of the Aternity Dashboard Server. For example, https://myaternity-dashboards.company.com:8081.

  7. If you deployed a single Aggregation Server, configure it for HTTPS using the server-side Configuration Tool:
    Secure your Aggregation Server
    a. On the computer which runs the Aggregation Server, add your enterprise's certificate to the system's Java keystore file (.jks) using Java's keytool utility (see Oracle's keytool documentation).
    b. On that same computer, launch the Configuration Tool from the Start menu, by right-clicking it and selecting Run as administrator.

      The Configuration Tool is installed with every Aternity server.

    c. Select Reconfigure Server and select Next until you reach the Web Server Configuration screen.
    d. Configure the server for HTTPS.
      Secure SSL connections to this server
      Field Description
      HTTP or HTTPS

      Select HTTPS if you want any connection to this server to be via HTTPS.

      Tip

      To see Aternity's system-wide security settings, view the security overview of all components.

      Port

      Enter the port required to receive data from the monitored devices. The default for HTTPS is 443.

      Custom keystore

      Enter the pathname of the system's keystore containing only the certificate that verifies your company's identity. Additional certificates may interfere with single sign-on processes.

      You must add your enterprise's certificate to the system's Java keystore file (.jks) using Java's keytool utility (see Oracle's keytool documentation).

      Custom keystore password

      Enter the password required to access the system's keystore file.

    e. Select Next repeatedly until you reach the end of the wizard, leaving all other values unchanged.

      This process forces a restart of the Windows service for this Aternity server.

    f. Configure the Agent setup to use a secured HTTPS connection, by specifying https:// in the address of the Aggregation Server in the Agent's setup parameters file.
  8. If you deployed several Aggregation Servers with a load balancer (LB), encrypt the connection to the LB only.

    Install your enterprise's certificate on the load balancer (LB). You do not need to encrypt the connections between the LB and the Aggregation Servers. For more information on securing your LB, consult the vendor's documentation.

    Secure the load balancer if you have more than one Aggregation Server
  9. To protect end user privacy, you can configure the Aternity Agent on a device (or all devices) to display data anonymously.

    Configure the Aternity Agent to report data anonymously, by adding ENFORCE_PRIVACY=true to the Agent's setup parameters.

    This encrypts all attributes which can identify a user, like the username, hostname, IP address and so on. For details, see the Agent's setup parameters.

  10. To secure REST API queries, or SteelCentral Portal™'s access to the Aternity Data Source, route all access to those services via a secured load balancer or proxy server.

    Install your enterprise's certificate on the load balancer (LB) or proxy. You do not need to encrypt the connections between the LB and the Aternity Data Source / Aternity REST API Server. For more information on securing your LB, consult the vendor's documentation.

    Secure access to the Aternity REST API Server or Aternity Data Source for Portal
  11. Periodically change the passwords on the servers in your Aternity installation, for security reasons and to comply with corporate policy.
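The keystore steps for the Management Server and the Aggregation Server both require a .jks that holds only the enterprise identity certificate. The following PowerShell script is an added example, not Aternity's own tooling: it imports a PKCS#12 (.pfx) export of the certificate and key with keytool and then checks that the resulting keystore contains exactly one key entry and no extra trusted certificates. The paths and passwords are placeholders, and keytool is assumed to be on PATH.

```powershell
# Added example (not Aternity's own tooling): build a JKS that holds only the
# enterprise certificate and its private key, then confirm nothing else is in it.
# Assumptions: the certificate and key were exported as a PKCS#12 (.pfx) file,
# keytool from the server's Java installation is on PATH, and every path and
# password below is a placeholder to replace.
param(
    [string]$PfxPath       = 'C:\certs\aternity-server.pfx',        # placeholder
    [string]$PfxPassword   = '<pfx-password>',                      # placeholder
    [string]$KeystorePath  = 'C:\Aternity\keystore\aternity.jks',   # placeholder
    [string]$StorePassword = '<keystore-password>'                  # placeholder
)

# Start from a new keystore file rather than the JRE's cacerts: that is what keeps
# the store down to the single identity certificate the Configuration Tool asks for.
if (Test-Path $KeystorePath) {
    throw "Refusing to overwrite existing keystore $KeystorePath"
}
& keytool -importkeystore `
    -srckeystore  $PfxPath      -srcstoretype  PKCS12 -srcstorepass  $PfxPassword `
    -destkeystore $KeystorePath -deststoretype JKS    -deststorepass $StorePassword `
    -noprompt
if ($LASTEXITCODE -ne 0) {
    throw "keytool import failed with exit code $LASTEXITCODE"
}

# Verify the result: exactly one PrivateKeyEntry and no trustedCertEntry lines in
# the listing. Extra entries are what the page warns can interfere with single sign-on.
$listing      = & keytool -list -keystore $KeystorePath -storepass $StorePassword
$keyEntries   = @($listing | Where-Object { $_ -match 'PrivateKeyEntry' })
$trustEntries = @($listing | Where-Object { $_ -match 'trustedCertEntry' })
if ($keyEntries.Count -ne 1 -or $trustEntries.Count -ne 0) {
    throw ("Keystore must hold exactly one PrivateKeyEntry; found {0} key and {1} trusted-cert entries" -f $keyEntries.Count, $trustEntries.Count)
}
Write-Host "Keystore OK: $($keyEntries[0]) in $KeystorePath"
```

If the certificate was delivered as separate .crt and .key files (as in the Dashboard Server step), combine them into a .pfx first; keytool cannot import a bare private key.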
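Once the Management, Dashboard and Aggregation Servers (or the load balancer in front of them) have been switched to HTTPS, it is worth confirming from a client's point of view that each listener negotiates TLS 1.2 and presents the enterprise certificate. The script below is an added PowerShell check, not part of Aternity's documentation; the host names, ports and thumbprint are placeholders for your deployment.

```powershell
# Added example (not from Aternity's documentation): after the procedure above,
# confirm each HTTPS listener negotiates TLS 1.2 and presents the enterprise
# certificate. Host names, ports and the thumbprint are placeholders.
$ExpectedThumbprint = '<SHA1-THUMBPRINT-OF-ENTERPRISE-CERT>'          # placeholder
$Endpoints = @(
    @{ Name = 'Management Server';  Host = 'aternity-mgmt.example.com'; Port = 443 },
    @{ Name = 'Dashboard Server';   Host = 'aternity-dash.example.com'; Port = 443 },
    @{ Name = 'Aggregation Server'; Host = 'aternity-aggr.example.com'; Port = 443 }
)

function Test-AternityTls {
    param([string]$TargetHost, [int]$Port, [string]$Thumbprint)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($TargetHost, $Port)
        # Accept whatever the server sends during the handshake so that the
        # certificate can be inspected and reported explicitly below.
        $acceptAll = { param($s, $c, $ch, $e) $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($TargetHost,
            (New-Object System.Security.Cryptography.X509Certificates.X509CertificateCollection),
            [System.Security.Authentication.SslProtocols]::Tls12, $true)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Protocol        = $ssl.SslProtocol
            Subject         = $cert.Subject
            NotAfter        = $cert.NotAfter
            ThumbprintMatch = ($cert.Thumbprint -eq $Thumbprint)
            ChainValid      = $cert.Verify()   # chain check against the machine trust store
        }
    } finally {
        $tcp.Close()
    }
}

foreach ($e in $Endpoints) {
    try {
        $r  = Test-AternityTls -TargetHost $e.Host -Port $e.Port -Thumbprint $ExpectedThumbprint
        $ok = ($r.Protocol -eq 'Tls12') -and $r.ThumbprintMatch -and $r.ChainValid -and ($r.NotAfter -gt (Get-Date))
        $status = if ($ok) { 'OK' } else { 'CHECK' }
        Write-Host ("{0}: {1}, {2}, expires {3:d} -> {4}" -f $e.Name, $r.Protocol, $r.Subject, $r.NotAfter, $status)
    } catch {
        Write-Warning ("{0} ({1}:{2}): {3}" -f $e.Name, $e.Host, $e.Port, $_.Exception.Message)
    }
}
```

A handshake failure on the Aggregation Server after Step 1 means the Agent will fail to report over https://, so run this check before rolling the updated setup parameters out to devices.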